Data is arguably the most prolific and most valuable of resources. As such, it needs to be protected both as a company asset and in keeping with data privacy laws. Data protection is most acute in healthcare, which is something of a latecomer to fast-evolving heterogeneous electronic environments in the cloud. Indeed, healthcare had to “fast forward” to meet a rush of legislation and new working methodologies. In the blink of an eye, the playing field has changed dramatically. It continues to evolve as medical practitioners bring their own devices into hospitals and surgeries, patients consult with their physicians over Skype and online chat, and Electronic Health Records transit between healthcare Business Associates and government and reimbursement agencies.
A complete security risk assessment is the sensible starting point for HIPAA compliance, one that reviews cloud, mobile, users, access controls, legacy systems, and the entire data operation. When it comes to cloud computing in the age of HIPAA compliance, encryption has become the accepted best practice for ensuring privacy and control of patient data.
The U.S. Department of Health and Human Services (HHS), its Office for Civil Rights, and the National Institute of Standards and Technology (NIST) have all published lengthy guidelines on how organizations can ensure compliance. The goal, however, is short and clear: electronic Patient Health Information (ePHI) must be made unusable, unreadable, and/or indecipherable to unauthorized users.
The HIPAA Security Rule incorporates two encryption implementation standards: 164.312(a)(2)(iv), which sets out the method for encrypting and decrypting ePHI; and 164.312(e)(2)(ii), which dictates how to implement a mechanism for encrypting ePHI “whenever deemed appropriate.” The good news is that if you implement encryption, and especially the management of encryption keys, correctly, the HHS guidance enables you to claim safe harbor. This means that even in the case of a breach, no patient data would be exposed since it was all encrypted in the first place.
Proper management of encryption keys has to do with ownership. To reach safe harbor status, you should be able to show that you kept the encryption keys to yourself and that the “master keys” were not in the cloud when (or if) a breach occurred. Take a look at technologies like split-key encryption or homomorphic key management to see how this can be achieved.
Ultimately, whatever type of cloud you use for processing your data, not to mention the apps or services you source from the cloud, the rule of thumb holds true: your data is secure and enjoys HIPAA “safe harbor” when it’s encrypted. And encryption only makes sense if you hold onto the encryption keys.
By Gilad Parann-Nissany, Founder and CEO, Porticor Cloud Security
Bio: Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance.